Encryption is useful to secure the contents of an electronic message end-to-end during transmission from a sender to a receiver. In asymmetric cryptography, encryption and decryption are done using a public-private key pair. In symmetric cryptography, encryption and decryption are done using one shared key. Symmetric cryptography is computationally much more efficient than asymmetric cryptography.
To encrypt a message such as an electronic mail using symmetric encryption, a shared key has to be agreed upon by the sender and the receiver. If both parties are able to authenticate each other, the sender can use a key negotiation protocol with the receiver to set up a secret shared key, but this still requires that the receiver be online at the time the sender needs to create the shared key for encrypting the message to the receiver. Or, the sender can securely distribute the shared key out-of-band to the receiver, but this is often not practical because that step has to be done for every receiver that the sender wishes to communicate with. Furthermore, in situations where the sender sends multiple messages which are received in a batch by the receiver, the secret shared key may be accessed multiple times by the sender, which could increase the chance of the shared key being compromised.
To overcome the above problems, asymmetric cryptography may be employed. To encrypt a message such as an electronic mail, a shared key again may be used to encrypt the message plaintext into ciphertext. In this case, however, the shared key itself is encrypted by the sender using the receiver's known public key and sent to the receiver along with the ciphertext. The shared key is decrypted by the receiver using the receiver's corresponding private key. The decrypted shared key is then used by the receiver to decrypt the ciphertext back into the message plaintext.
A public key infrastructure, PKI, has evolved whereby a certificate attached to a public key is used to attest that a particular public key is bound to or associated with a particular party. The certificate is created and digitally signed by a trusted public key certificate authority, CA, using the CA's private key. To digitally sign a certificate (or any message), the CA would calculate a hash function result for the certificate and encrypt the hash result using the CA's private key. The certificate and its encrypted hash result (digital signature) are attached to the public key and given to the receiver claiming ownership of the public-private key pair. The sender obtaining the receiver's public key verifies the digital signature of the certificate on the public key. This is done by decrypting the certificate's hash result using the CA's well-known public key and matching that with the hash function result calculated directly from the certificate.
However, if the receiver has not acquired a public-private key pair or has not publicized his/her public key, the sender is unable to encrypt the message utilizing the receiver's known public key. Acquiring and managing a public-private key pair appear to be too involved or too much bother in many instances, such as for electronic mail. A user has to go through a fairly involved process to generate a public-private key pair, and then another fairly involved process to obtain a certificate for the public key. A user also has to protect the private key from being discovered or stolen. Often the public-private key pair is stored on a user's primary computer, which is not accessible when the user is not using the primary computer. When a primary computer is replaced, the public-private key pair has to be exported from the old primary computer and imported into the new primary computer. Hence receiver acquisition of a public-private key pair and receiver key management are significant impediments and drawbacks. For the above reasons, among others, e-mail message encryption using PKI is not widely adopted in spite of its obvious security advantages.
A key server provides a method for generating and associating a new public-private key pair for a receiver when a public key that is associated with the receiver e-mail address is not known. However, the new private key of the public-private key pair is not cryptographically secure in the key server. Another related problem is that, since the new key pair is publicized to be associated with the receiver e-mail address, a compromised private key of the public-private key pair can be used to digitally sign e-mail that is purported to come from the receiver. The receiver also may not want a public-private key pair that is generated by another party (i.e., the sender) to be universally associated with the receiver e-mail address.